How do I protect my login page from prying eyes (forms authentication)?


Hello,

Sorry this is a bit wordy, but it's a pretty simple question...


I have a web site, http://domain/ which is a public site, part of which (http://domain/a/) is protected by forms authentication.


I would like to configure it so that anyone not logged in, trying to access the protected part will not be redirected to the login page, but will be sent to the main site's home page. The reason is because I have a page in the protected part where the site owner prints out order details to send to the customer. As most browsers put the URL at the bottom of a printed web page, the customer will see http://domain/a/orders.aspx?orderid=23 and will then try to load that page. If they are redirected to a login page, it encourages hackers to try and break in. If they are redirected to the main home page, or given a 404, they will not know of the existence of the protected part.

So, any ideas how I do this? I tried setting the loginUrl (in web.config) to the home page, but this stops anyone from logging in, even if they enter the URL to the login page.

Currently, the main site does not have a web.config, and the protected part (which is a separate application) has the following...

<configuration>
  <system.web>
    <compilation defaultLanguage="c#" />
    <authentication mode="Forms">
      <forms loginUrl="~/Login.aspx" />
    </authentication>
    <authorization>
      <deny users="?"/>
    </authorization>
  </system.web>
</configuration>

This works, except it shows the login page to everyone. Any idea how I can prevent this? TIA

--
Alan Silver
(anything added below this line is nothing to do with me)
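
One configuration that gives the behaviour asked for above, as an added example that is not part of the original post. It assumes the public home page is /default.aspx (the post does not name it) and reuses the poster's Login.aspx and /a/ application.

```xml
<!-- web.config of the protected application at /a/ (added example).
     Assumption: the public home page is /default.aspx. -->
<configuration>
  <system.web>
    <compilation defaultLanguage="c#" />
    <authentication mode="Forms">
      <!-- Anonymous requests for protected pages are redirected here
           instead of to Login.aspx. -->
      <forms loginUrl="/default.aspx" />
    </authentication>
    <authorization>
      <deny users="?" />
    </authorization>
  </system.web>

  <!-- Forms authentication only exempts the page named in loginUrl from the
       deny rule. Once loginUrl points elsewhere, Login.aspx needs its own
       exemption, or it is redirected like every other protected page. -->
  <location path="Login.aspx">
    <system.web>
      <authorization>
        <allow users="*" />
      </authorization>
    </system.web>
  </location>
</configuration>
```

The redirect still appends a ReturnUrl query string containing the originally requested path, so the /a/ path remains visible in the address bar once the visitor lands on the home page. Access control continues to rest on the login itself; moving the redirect only changes what an anonymous visitor is shown.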